Hi,
I have two WAN interfaces, 1 and 2. WAN 1 is set for VLAN 10 and WAN 2 for VLAN 60.
To allow computers on VLAN 60 to use the WAN 2 internet, I created the Policy Route below:
The problem:
There is an HTTP server in VLAN 10 that hosts a website and it is listening on the WAN 1 IP (already set in the FortiGate and on the HTTP server).
Computers on VLAN 10 can open the website using the WAN "1" IP, but computers on VLAN 60 can't reach the website. However, VLAN 60 can ping the WAN "1" IP.
When I disable the policy route created before, vlan 60 can open the website normally.
What is the problem?
Thank you.
Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?
oheigl wrote:Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?
Currently the virtual IP is set this way; isn't that right?
hi Ragno,
ragno wrote:Computers on vlan 10 can open the website using the wan "1" IP but computers on vlan 60 can't reach the website. But vlan 60 can ping the wan "1" IP.
When I disable the policy route created before, vlan 60 can open the website normally.
What is the problem?
If you think about the goal of PBR, this is the expected behavior, since the policy route was defined with destination 0.0.0.0/0 (any) and any protocol... PBR replaces/overrides the normal route lookup, so traffic is forced to be forwarded to the specified gateway (if up / present in the FIB).
Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".
Regards,
Antonio
Antonio Milanese wrote:Just add a PBR entry before (evaluation top/down first match) with source vlan60_subnet destination wan1_subnet and action stop policy routing.
Antonio,
Should I do this setting by command line?
I can't find the suggested option to stop policy routing in the menu under "Router > Static > Policy Routes".
Hi Ragno,
Sorry, I should have noted from the screenshot that the FOS version is 5.x/5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions... A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the "internal" interface where vip_mapped_IP lives (optionally protocol TCP port 8080, depending on the webserver app/content behavior)... The rationale is to force PBR traffic destined to VIP_mapped_IP to the LAN, as in the normal flow without PBR, post VIP translation.
Regards,
Antonio
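The two fixes discussed in this thread (the "stop policy routing" entry for FortiOS 5.4+ from Antonio's earlier reply, and the 5.2.x workaround above) written out as a FortiOS CLI fragment. This is an added example, not configuration from the original posts. The interface names, subnets, server address and next hop are constructed placeholders, and the exact `set src`/`set dst` value syntax differs between 5.2 and 5.4, so compare it with the CLI reference for your version before applying it.

```fortios
# Added example, not from the thread. All addresses and interface names below
# are constructed placeholders:
#   vlan60 subnet        : 10.60.0.0/24  (clients that should egress via wan2)
#   web server (VIP map) : 10.10.0.50    (vlan10 host behind the wan1 VIP)
#   wan2 next hop        : 203.0.113.1
config router policy
    # Entry 1 is evaluated first (top-down, first match). Traffic from vlan60
    # to the VIP's *mapped* address on TCP/8080 is steered back to the vlan10
    # side and never reaches the catch-all wan2 entry. The match is on the
    # mapped IP, not the wan1 IP, because the VIP DNAT happens before the
    # route lookup. This is the 5.2.x workaround (output-device, no action).
    edit 1
        set input-device "vlan60"
        set src "10.60.0.0/255.255.255.0"
        set dst "10.10.0.50/255.255.255.255"
        set protocol 6
        set start-port 8080
        set end-port 8080
        set output-device "vlan10"
        # On FortiOS 5.4/5.6 the same entry can instead stop policy routing
        # and fall back to the normal route lookup:
        #   set action deny
        # (replace the output-device line with it; deny = "stop policy routing")
    next
    # Entry 2 is the original catch-all that sends everything else from
    # vlan60 out wan2. It must stay below the exception.
    edit 2
        set input-device "vlan60"
        set src "10.60.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end
```

Order is the whole point: the exception has to sit above the 0.0.0.0/0 entry, otherwise the catch-all matches first and the web traffic is pushed out wan2 exactly as the original poster saw. Keep the exception as narrow as the page's advice suggests (one host, one port) so it carves out only the web server and does not quietly exempt a larger chunk of vlan60 from the wan2 egress policy.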
Antonio Milanese wrote: Hi Ragno,
Sorry, I should have noted from the screenshot that the FOS version is 5.x/5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions... A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the "internal" interface where vip_mapped_IP lives (optionally protocol TCP port 8080, depending on the webserver app/content behavior)... The rationale is to force PBR traffic destined to VIP_mapped_IP to the LAN, as in the normal flow without PBR, post VIP translation.
Regards,
Antonio
Worked!! Thank you!
Hello,
In the above scenario, I can't access it by name (e.g. abcd.com) instead of by IP address. Any suggestions?
Regards
Naveen.D
Copyright 2024 Fortinet, Inc. All Rights Reserved.